Report 2018-129 Recommendation Responses

Report 2018-129: Employment Development Department: Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft (Release Date: March 2019)

Recommendation for Legislative Action

Because other state agencies may mail full SSNs to Californians, and because this practice—regardless of the agency involved—exposes individuals to the risk of identity theft, the Legislature should amend state law to require all state agencies to develop and implement plans to stop mailing documents that contain full SSNs to individuals by no later than December 2022, unless federal law requires the inclusion of full SSNs. To ensure that state agencies sufficiently prepare to implement this new law, the Legislature should also require that, by September 2019, they submit to it a report that identifies the extent to which their departments mail any documents containing full SSNs to individuals.

If any agency determines that it cannot reasonably meet the December 2022 deadline to stop including full SSNs on mailings to individuals, the Legislature should require that, starting in January 2023, the agency submit to it and post on the agency's website an annual corrective action plan that contains, at a minimum, the following information:

- The steps it has taken to stop including full SSNs on mailed documents.

- The number of documents from which it has successfully removed full SSNs and the approximate mailing volume that corresponds to those documents.

- The remaining steps that it plans to take to remove or replace full SSNs it includes on mailed documents.

- The number of documents and approximate mailing volume that it has yet to address.

- The expected date by which it will stop mailing documents that contain full SSNs to individuals.

Finally, if a state agency cannot remove or replace full SSNs that it includes on documents that it mails to individuals by January 2023, the Legislature should require the agency to provide access to and pay for identity theft monitoring for any individual to whom it mails documents containing SSNs.

Description of Legislative Action

AB 499 (Chapter 155, Statutes of 2020) prohibits a state agency, by January 1, 2023, from sending to an individual any outgoing United States mail that contains the individual's full SSN unless, except in limited circumstances, federal law requires inclusion of the full SSN. This statute also requires each state agency, on or before September 1, 2021, to report to the Legislature when and why it mails documents that contain individuals' full SSNs. Finally, this statute requires a state agency that, by January 1, 2023, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

AB 56 (Chapter 510, Statutes of 2021) additionally requires a state agency that is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature by December 15 each year until it is in compliance. The statute further specifies that the annual corrective plan shall include the following:

1) The steps the agency has taken to stop including full social security numbers on outgoing United States mail.

2) The number of documents sent as outgoing United States mail from which the agency has successfully removed full social security numbers and the approximate mailing volume corresponding with those documents.

3) The remaining steps that the agency plans to take to remove or replace full social security numbers it includes on documents sent as outgoing United States mail.

4) The number of documents and approximate mailing volume associated with those documents that the agency has yet to address.

5) The expected date by which the agency will stop sending documents that contain full social security numbers as outgoing United States mail to individuals.

AB 12 (Chapter 509, Statutes of 2021) also required a state agency to stop sending any outgoing United States mail containing full SSNs to an individual as soon as feasible, but no later than January 1, 2023.

California State Auditor's Assessment of Annual Follow-Up Status: Legislation Enacted


Description of Legislative Action

AB 499 (Chapter 155, Statutes of 2020) prohibits a state agency, by January 1, 2023, from sending to an individual mail that contains the individual's full SSN unless, except in limited circumstances, federal law requires inclusion of the full SSN. This statute also requires each state agency, on or before September 1, 2021, to report to the Legislature when and why it mails documents that contain individuals' full SSNs. Finally, this statute requires a state agency that, by January 1, 2023, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

Additionally, AB 12 (Seyarto), AB 56 (Salas), and SB 58 (Wilk) would variously prohibit EDD from sending any outgoing U.S. mail to an individual that contains the individual's social security number (SSN) with specified conditions.

California State Auditor's Assessment of Annual Follow-Up Status: Partially Implemented


Description of Legislative Action

AB 499 (Mayes) would:

1) Prohibit a state agency from sending any outgoing mail that contains an individual's full social security number unless, under the particular circumstances, federal law requires inclusion of the full social security number.

2) Require each state agency, on or before September 1, 2021, to report to the Legislature when and why it mails documents that contain individuals' full social security numbers.

3) Require a state agency that, in its own estimation, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

4) Require a state agency that is not in compliance with the prohibition to offer to provide appropriate identity theft prevention and mitigation services to any individual, at no cost to the individual, to whom it sent outgoing United States mail that contained the individual's full social security number.

As of January 2020 this bill is pending in the Senate.

California State Auditor's Assessment of 1-Year Status: Legislation Introduced


Description of Legislative Action

AB 499 (Mayes) would have:

1) Prohibited a state agency from sending any outgoing mail that contains an individual's full social security number unless, under the particular circumstances, federal law requires inclusion of the full social security number.

2) Required each state agency, on or before September 1, 2020, to report to the Legislature when and why it mails documents that contain individuals' full social security numbers.

3) Required a state agency that, in its own estimation, is unable to comply with the prohibition to submit an annual corrective action plan to the Legislature until it is in compliance.

4) Required a state agency that is not in compliance with the prohibition to offer to provide appropriate identity theft prevention and mitigation services to any individual, at no cost to the individual, to whom it sent outgoing United States mail that contained the individual's full social security number.

This bill was not acted upon in the Assembly.

California State Auditor's Assessment of 6-Month Status: Legislation Proposed But Not Enacted

